By Matthew Adams, Co-Founder
Regulatory Compliance and Cloud Adoption

Today, we are talking about regulatory compliance and the Cloud.

The FCA closed its consultation on guidance for the adoption of Cloud services by financial institutions back in 2016.

Although these guidelines are specifically targeted at FS, they are worth reviewing by any organization that handles personal information - which basically means almost anyone who does business in the Cloud.

At endjin, we've been working with our clients, who have all moved some or all of their business to the cloud, to provide feedback to the FCA as part of this consultation process.

In this post, I've pulled out a few of our key observations.

  1. The principles are no different between on-prem, managed provider and cloud datacentres. You can produce an effective compliance plan in any of these scenarios, but there is no free lunch.
  2. Most real-world solutions are likely to be a combination of provision models. An awareness of the risks at the boundaries is essential to a successful compliance plan.
  3. It is not possible to get a fully isolated service from Cloud providers. Standard operating procedures mean that systems may be accessed by service personnel from out-of-region, for example, and you cannot have your own isolated backbone. However...
  4. Cloud providers can lower your risk profile. Physical security, patching, redundancy, key management and disaster recovery scenarios are often more robust than internal data centres, for example.
  5. Standard Cloud provider contracts are not well-tuned for FS applications. Vendors are aware of this issue, and Microsoft in particular are willing to negotiate terms on a case-by-case basis to help overcome specific problems until an overall framework is agreed.
  6. Uncertainty around future regulatory change is a barrier to adoption. A lack of clarity around the direction of future regulation, or the application of existing regulation, creates a climate of uncertainty which tends to retard any change agenda.
  7. Requirements for a vendor-migration plan are restrictive. The lack of standardization between IaaS, PaaS and SaaS services from different vendors makes a vendor-migration plan seem challenging. This requirement needs to be addressed as a core part of the solution architecture.

These seven points are the tip of the iceberg when it comes to implementing regulatory guidelines. If you are interested in discussing any of these issues, then get in touch - we'd love to hear your perspective. It is notable that there are relatively few detailed FS cloud case studies, and we aim to do something about that with great clients like Milliman and Hymans Robertson.


Matthew Adams, Co-Founder

Matthew was CTO of a venture-backed technology start-up in the UK & US for 10 years, and is now the co-founder of endjin, which provides technology strategy, experience and development services to its customers who are seeking to take advantage of Microsoft Azure and the Cloud.